IMPLEMENTATION OF NETWORK FORENSICS BASED ON HONEYPOT

Chih-Hung Lin and Chung-Huang Yang

Graduate Institute of Information and Computer Education
National Kaohsiung Normal University
maxlin.kh@gmail.com, chyang@nknucc.nknu.edu.tw

ABSTRACT

For years, a number of studies have addressed the serious problem of network attacks and developed forensic technologies such as firewalls and intrusion detection systems to prevent malware attacks. Current technologies lack investigative features because gathering network information is too difficult. In this study we designed a network forensics system that incorporates a honeypot system to solve the information-gathering problems of the past, distributes the honeypot system module, and combines it with the Capture-HPC program to check traversed web sites for client-side malware. The results of the study can therefore help investigators gather evidence about network crimes so that criminals can be prosecuted in court.

Index Terms—Network forensic, honeypot, malware

1. INTRODUCTION

There are a number of information security issues that need to be addressed when capturing network traces on enterprise networks. Recently, researchers have used open source software to collect and analyze malicious network behaviour from the Internet and to collect real-time log information about malware attacks. In this study we use software such as a honeypot and Capture-HPC. The honeypot has proven to be a very effective tool for learning more about Internet crime such as credit card fraud or malware propagation. Through network forensics, intrusion evidence can be acquired from captured network traffic or system logs. In this study we use a passive detection strategy, such as p0f, to check the type of operating system, the IP source, the ports in use, the internal operating system, and the network status. To increase the number of samples of attack information, we decided to use Nepenthes [1] [2] to collect the threats and to classify them with a virus scanner. The system also provides several online tools, such as Nmap and Capture-HPC, to improve the accuracy of the collected information. Through these technologies, network administrators can easily analyze the internal situation in local area networks and defend effectively against malicious programs. The collected information can also be provided to network investigators as evidence of crime.

2. RELATED WORK

Network forensics is an important extension to the model of network security; it focuses on the capture, recording, and analysis of network packets and events for investigative purposes [3]. In some studies we found that researchers used software such as honeytraps [4] and NFAT [5] as network forensic tools for the log collection part, and some use multi-source logs [6] as the foundation of their analysis. Honeytrap is a low-interaction honeypot that also aims to collect malware in an automated way; it is similar to Nepenthes.

Some studies use capture methods to collect evidence and logs on networks, and build an information platform for network administrators to use in network forensics. This study differs from other analyses that monitor all traffic information: we provide evidence by processing the network forensics method that collects malware behaviour, in order to ensure the effectiveness of the digital evidence and its credibility under judicial review.

2.1. Malware Analysis

There are mainly two approaches to malware analysis: static analysis and dynamic analysis [7]. The major difference is that dynamic analysis has to simulate a network environment on the server, while static analysis does not.

Static analysis is a white-box approach in which the malware samples are analyzed to help network administrators or IT staff understand the function of the malware. The most difficult part of this analysis is how to analyze the malware when it is well camouflaged. Therefore, we need to use virus scanners such as ClamAV, AVIRA, and BitDefender to analyze and define the categories of the threats.
Dynamic analysis is a black-box approach in which the sample malware is run in an emulated network environment on the server. Dynamic analysis tools such as Autoruns and Capture-BAT observe the detailed actions of the malware. Internally, they record its file saves and accesses, DLLs, registry changes, and API procedure calls. Externally, they monitor server access, malware behaviour scanning, and malware downloads. To obtain a large quantity of information, finding and analyzing the behaviour of various threat programs is necessary.

2.2. Honeypot System

A honeypot system is also called a "Malware Collection System". The purpose of a honeypot system is to protect the network, detect and divert attacks from external attackers, and delay the attack on the real target, in order to reduce information security risks. At the same time, the system simulates system vulnerabilities for attackers to attack, and identifies the attacker. According to the level of intruder interaction, honeypot systems are divided into three types [8]: low-interaction, medium-interaction, and high-interaction honeypots. From a functional point of view, they are divided into production honeypots and research honeypots.

2.2.1. Nepenthes

Currently there are many kinds of honeypot systems [9], but the commonly used ones are the low-interaction Honeyd [10] and Nepenthes. The reason for applying Nepenthes in this study is that Nepenthes is technically a malware honeypot: it uses the modular architecture of a low-interaction honeypot to simulate general server services and common vulnerabilities, and extracts the threat when interacting with the malware.

2.2.2. Capture-HPC

Capture-HPC [11] [12], a kind of honey client, is used for high-interaction web page testing because it collects different categories of threats than Nepenthes. It focuses on drive-by downloads and threat links in web pages. These attacks happen without the user's awareness or understanding while the user is browsing a web page or reading HTML-type files. They attack common vulnerabilities in application software such as the web browser, Flash, PDF, and Office; through these common vulnerabilities the user's computer can be affected by making the client application run the threat program. Such web page attacks are also called client-side attacks.

2.3 Active and Passive Detection

Passive detection listens for and receives data whenever the target system sends any data to the server, and analyzes the received data. The best place to apply p0f [13], also called passive OS (Operating System) fingerprinting, is the gateway of the network system, through which the network packets pass. Through this function we can monitor the ports in use, and also analyze a specific port and the network situation [14].

Active detection uses purpose-built programs to monitor the network system and perform security scanning of a particular computer; we used Nmap [15].

2.4 Malware Propagation Model

Malware propagation models can be analyzed in terms of zombie networks and network worms. The theory of zombie networks derives from network worms [16]. In order to understand the propagation model [17], we must look into the characteristics of network worms. A network worm uses TCP SYN, RST, FIN, etc. to probe the network [18]. Scanning policies include selective random scan, sequential scan, hit-list scan, routable scan, DNS scan, divide-and-conquer scan, passive scan, etc.

A zombie network is a little different from a network worm. A zombie network is controlled to spread the malware, and it targets addresses in the same network segment first. A zombie network is regionally confined and controlled by the hackers, and its spreading and prediction methods differ from those of a network worm.

2.5 Antivirus Malware Definition

A computer virus is like a common virus in the human body: it is a created program that reproduces, spreads the threat to other servers and disturbs them, and damages the main server.

Naming a new threat program follows its own rules. Antivirus software vendors can create their own names when they find a new threat program; they normally name it by capital letter, name, and last letter [19].

Capital Letter: identifies the threat program by its own category, or by the particular operating system or platform it applies to.
Names: the threat program's name, or a description of the threatening action it takes.
Last Letter: a remark distinguishing members of the same category.

3. SYSTEM ARCHITECTURE

The system architecture is composed of several systems on a major server, as shown in Figure 1. Analysis of malware network activities can use the low-interaction honeypot (Nepenthes) and the high-interaction honeypot (Capture-HPC). The Nepenthes program is a traditional honeypot and Capture-HPC is a client honeypot; they have different uses. Using these two honeypot systems together, we can obtain analyzed information about malware activities on the network. We can identify exploit code in the intruded zombie network or in embedded web pages through the designed honeypot system.
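Passive OS fingerprinting as described in Section 2.3 reduces to matching the attributes of a SYN the remote host sends anyway (TTL, window, DF flag, TCP option order) against a signature table, and using the TTL to estimate how many hops away the host is. The following Python is an added example, not the paper's or p0f's code; its signature table, the "key=value" capture record format and the sample records are constructed for illustration and do not reproduce p0f's real database.

```python
import re
from collections import namedtuple

# Fields a passive fingerprinter reads from a TCP SYN seen at the gateway:
# remaining TTL, advertised window, DF flag, and the order of TCP options
# (mss = max segment size, ws = window scaling, ts = timestamps, sok = SACK ok).
Syn = namedtuple("Syn", "src ttl window df options")

# Illustrative signature table constructed for this example
# (label, initial TTL, window, DF, option order); NOT p0f's real signatures.
SIGNATURES = [
    ("Windows 2000 SP4, XP SP1+", 128, 65535, True, ("mss", "nop", "nop", "sok")),
    ("Windows 98", 128, 8192, True, ("mss",)),
    ("Linux 2.6", 64, 5840, True, ("mss", "sok", "ts", "nop", "ws")),
]

# Constructed capture records in a hypothetical "key=value" format, standing in
# for what a sniffer hands to the fingerprinter; not p0f's own log format.
SAMPLE_RECORDS = [
    "SYN src=123.204.174.60 ttl=116 win=65535 df=1 opts=mss,nop,nop,sok",
    "SYN src=123.204.48.170 ttl=59 win=5840 df=1 opts=mss,sok,ts,nop,ws",
    "SYN src=112.105.164.237 ttl=250 win=4096 df=0 opts=mss",
]
RECORD_RE = re.compile(r"SYN src=(\S+) ttl=(\d+) win=(\d+) df=([01]) opts=(\S+)")

def parse_record(line):
    """Turn one capture record into a Syn tuple; None for lines that do not match."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    src, ttl, win, df, opts = m.groups()
    return Syn(src, int(ttl), int(win), df == "1", tuple(opts.split(",")))

def initial_ttl(observed_ttl):
    """Round the remaining TTL up to the nearest common initial value."""
    return next(t for t in (32, 64, 128, 255) if t >= observed_ttl)

def fingerprint(syn):
    """Return (os_label, hop_distance); label is 'unknown' when nothing matches."""
    init = initial_ttl(syn.ttl)
    distance = init - syn.ttl
    for label, ttl, window, df, options in SIGNATURES:
        if (init, syn.window, syn.df, syn.options) == (ttl, window, df, options):
            return label, distance
    return "unknown", distance

def fingerprint_records(lines):
    """Map each source IP to (os_label, hop_distance), as a p0f module would store it."""
    results = {}
    for line in lines:
        syn = parse_record(line)
        if syn is not None:
            results[syn.src] = fingerprint(syn)
    return results

if __name__ == "__main__":
    for src, (label, hops) in fingerprint_records(SAMPLE_RECORDS).items():
        print("%-16s %-28s %d hops away" % (src, label, hops))
```

A real deployment would feed the matcher from a packet capture at the gateway and keep a much larger signature set; the matching and hop-distance logic stay the same.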
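The naming scheme of Section 2.5 can be applied to the ClamAV detection names the paper later lists in Table 4, to merge variants of one family and to total counts per category or platform. This is an added example, not the paper's own code; the split into prefix, family and variant follows the Capital Letter / Names / Last Letter description above and is an assumption about the format, and the rows are those of Table 4.

```python
import re
from collections import defaultdict

# Detection names and counts as listed in the paper's Table 4 (Site 1, top 10 by virus).
TABLE_4 = [
    ("W32.Virut-54", 3681), ("Trojan.Nepoe", 1354), ("unknown", 1035),
    ("Trojan.Mytenare", 1016), ("Trojan.SdBot-9861", 805), ("Worm.Palevo-2646", 733),
    ("Worm.Waledac-953", 209), ("Worm.Palevo-548", 192), ("Worm.Padobot.M", 142),
    ("Trojan.Small-4287", 128),
]

# Assumed shape Prefix.Family[-Variant] or Prefix.Family.Variant: the prefix is the
# "capital letter" part (a category such as Trojan/Worm or a platform such as W32),
# the family is the "name", and the variant is the "last letter" remark.
NAME_RE = re.compile(r"^([A-Za-z0-9]+)\.([A-Za-z0-9_]+)(?:[-.]([A-Za-z0-9]+))?$")

def parse_name(name):
    """Split a detection name into (prefix, family, variant); None if it does not fit the scheme."""
    m = NAME_RE.match(name)
    if not m:
        return None
    prefix, family, variant = m.groups()
    return prefix, family, variant or ""

def family_totals(rows):
    """Sum counts per (prefix, family), merging the variants of one family.
    Names outside the scheme (e.g. 'unknown') are kept under ('unclassified', name)."""
    totals = defaultdict(int)
    for name, count in rows:
        parsed = parse_name(name)
        key = parsed[:2] if parsed else ("unclassified", name)
        totals[key] += count
    return dict(totals)

def prefix_totals(rows):
    """Sum counts per prefix (category or platform)."""
    totals = defaultdict(int)
    for (prefix, _family), count in family_totals(rows).items():
        totals[prefix] += count
    return dict(totals)

if __name__ == "__main__":
    ranked = sorted(family_totals(TABLE_4).items(), key=lambda kv: -kv[1])
    for (prefix, family), count in ranked:
        print("%-12s %-10s %5d" % (prefix, family, count))
```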
Building a honeylab was mentioned in [20]; this study has different aims but heads in the same direction. We used a high-interaction client honeypot and a low-interaction honeypot system to provide a system with different aims for other users and researchers to use. We also create two honeypot systems in our honeypot system module and locate them in two different IP networks on the Internet.

The system tries not to be visible on the Internet, so we use an SSL VPN to verify users when they log in to the system. The honeypot system uses the firewall to open only the particular simulated service ports, to avoid the security problems of being attacked. All data collected in the modules is sent back to the database or shown on the web for researchers to access or analyze. The web interface functions are shown in Figure 2.

Figure 1. System Architecture

Figure 2. Web Interface Function

In this study we use Nepenthes, p0f, and ClamAV for passive detection, to avoid being noticed by the attacker or the threat program. All IP information collected by the Nepenthes program is looked up in GeoIP (an IP geographical database) to find the geographic information of the attackers, such as country, city, longitude, and latitude. The module is shown in Figure 3.

Figure 3. Nepenthes Module

To complement the information that the honeypot system cannot find out, we use the Capture-HPC program to acquire the other parts of the malware information, because Capture-HPC analyzes the embedded language through its web crawler and obtains the malware activity information through the client-side attack. The information is sent back to the Linux server when the honeypot system catches the malware log, but the affecting malware is kept in the VM machine. We can use the tools built into the VM machine to analyze the malware activities. The module is shown in Figure 4.

Figure 4. Capture-HPC Structure

4. EXPERIMENTAL TEST AND ANALYSIS

4.1 Development Tools and Environment

In the low-interaction traditional honeypot module, we use Python to create a resident program that processes the information collected by Nepenthes and sends the information back to the database on the main server. The p0f information has to be processed with p0f-db, whose source code we modified to support deployment as a distributed system, so that the information is then spread and shared.

In the high-interaction honey client module, we completed the design of the web pages using the web page program and Capture-HPC, and we also built the web tools and the Capture-HPC interface to display all the web pages.

4.2 System Function Description

To log in to the system, the user needs to use the SSL VPN to identify himself. After logging in, the user has to verify the account name and password to access the information. On the malware system web page (Figure 5) the main function is to search all the information collected by the honeypot system. For more options, the user can use passive OS fingerprinting. The system also provides Nmap and Capture-HPC to support p0f and passive detection, and other network tools such as Ping, NSLookup and Traceroute.

Figure 5. Malware Web Interface

Table 2. Site 1 (112.105.219.196) List from IP
IP Info.          Country  City     Count
112.104.223.133   Taiwan   unknown  168
112.105.207.159   Taiwan   unknown  160
112.105.243.239   Taiwan   unknown  148
112.105.225.223   Taiwan   unknown  147
112.105.85.67     Taiwan   unknown  127
112.105.84.95     Taiwan   unknown  105
112.105.84.33     Taiwan   unknown  104
112.105.88.166    Taiwan   unknown  102
112.104.223.94    Taiwan   unknown  93
112.105.162.183   Taiwan   unknown  9


4.3 Study and Analysis

We list the top 10 malware sources by IP (see Table 1 and Table 2), country (see Table 3), virus (see Table 4) and OS (see Table 5). The data in Tables 1 to 4 cover half a year; Table 5 includes all data. From the statistics we observe the following: (1) the spreading malware and its major sources are in the same sub-network [18]; (2) the most affected OS is Windows. By analyzing particular malware and IP sources, we can understand the network characteristics of the malware.

In this study we can use these statistical data to search for the IP addresses of attackers. For instance, entering the IP 123.204.132.69 into the interface, we gather the information shown in Table 6, Table 7 and Figure 6, as part of the forensics on the Internet. Also, by running the Capture-HPC program automatically on the system, researchers can find evidence of the attack, as in the log shown in Figure 7 and the *.pcap traffic analysis files in Figure 8.

Table 1. Site 1 (123.204.27.168) Top 10 List from IP
IP Info.          Country  City      Count
123.204.174.60    Taiwan   Taichung  402
123.204.48.170    Taiwan   Taipei    348
123.204.141.149   Taiwan   Taipei    133
123.204.169.192   Taiwan   Taichung  99
112.105.164.237   Taiwan   unknown   78
123.204.26.53     Taiwan   Taoyuan   78
123.204.221.156   Taiwan   Taipei    69
123.204.124.186   Taiwan   Taipei    68
123.204.192.83    Taiwan   Taipei    65
123.204.30.156    Taiwan   Taoyuan   63

Table 3. Site 1 (123.204.27.168) Top 10 List from Country
Country Info.       Count
Taiwan              8480
Japan               374
China               222
Russian Federation  146
Philippines         61
India               56
Australia           42
United States       23
Korea, Republic of  14
Egypt               3

Table 4. Site 1 (123.204.27.168) Top 10 List from Virus
Virus              Count
W32.Virut-54       3681
Trojan.Nepoe       1354
unknown            1035
Trojan.Mytenare    1016
Trojan.SdBot-9861  805
Worm.Palevo-2646   733
Worm.Waledac-953   209
Worm.Palevo-548    192
Worm.Padobot.M     142
Trojan.Small-4287  128

Table 5. Site 1 (123.204.27.168) Top 10 List from OS
OS                                        Count
Windows 2000 SP4, XP SP1+                 13506
Windows 2000 SP2+, XP SP1+ (seldom 98)    3118
Windows 98 (9)                            1889
Windows XP/2000 (RFC1323+, w+, tstamp-)   1064
Windows XP SP1+, 2000 SP3                 701
Windows 2000 SP4, XP SP1+ (2)             654
Windows XP/2000                           356
Windows XP/2000 (RFC1323+, w+, tstamp+)   227
Windows 98 (10)                           218
Linux 2.6 (newer, 3)                      192

Table 6. Site 1 Malware Search (IP: 123.204.132.69)
Country  OS system                      NAT
Taiwan   Windows 2000 SP4, XP SP1+ (2)  no/unknown

Table 7. Site 1 Malware Search (IP: 123.204.132.69)
Google map                         Firewall
25.0391998291016,121.525001525879  no/unknown

Figure 6. Location of 123.204.132.69

Figure 7. Log Information

Figure 8. Pcap Files on Wireshark

5. CONCLUSIONS

A network forensics system can prove a valuable investigative tool for collecting information about malware attacks. In this study we explored the new topic of network forensics and proposed an architecture for a network forensics system. We use malware collection as a network forensics strategy. This technique can analyze the logs caused by malware attacks. Combined with the Capture-HPC program, the system can also check traversed web sites for client-side malware. Network forensics investigations can use the collected information as evidence in court. Additionally, the system provides four kinds of tools, Ping, NMAP, NSLookup, and Traceroute, for network forensics investigators to apply in evidence investigation.

In order to gather more logs and malware information, we plan to extend the system with IDS and IDP functions for network forensics investigation.

6. REFERENCES

[1] P.S. Huang, C.H. Yang, and T.N. Ahn, "Design and implementation of a distributed early warning system combined with intrusion detection system and honeypot," International Conference on Hybrid Information Technology, August 2009.
[2] Taiwan Honeynet Project, http://www.honeynet.org.tw/
[3] A. Almulhem and I. Traore, "Experience with engineering a network forensics system," Lecture Notes in Computer Science, vol. 3391, pp. 62-71, Jan. 2005.
[4] A. Yasinsac and Y. Manzano, "Honeytraps, A Network Forensic Tool," Proceedings of the 6th World Multi-conference on Systemics, Cybernetics, and Informatics (SCI 02), 2002.
[5] V. Corey, C. Peterman, S. Shearin, M.S. Greenberg, and J.V. Bokkelen, "Network Forensics Analysis," IEEE Internet Computing, vol. 6, no. 6, pp. 60-66, 2002.
[6] C. Lin, Z. Li, and G. Gao, "Automated Analysis of Multi-source Logs for Network Forensics," 2009 First International Workshop on Education Technology and Computer Science, vol. 1, pp. 660-664, 2009.
[7] D. Inoue, K. Yoshioka, M. Eto, Y. Hoshizawa, and K. Nakao, "Malware Behavior Analysis in Isolated Miniature Network for Revealing Malware's Network Activity," IEEE International Conference on Communications (ICC '08), Beijing, pp. 1715-1721, May 2008.
[8] H. Artail, H. Safa, M. Sraj, I. Kuwatly, and Z. Al-Masri, "A hybrid honeypot framework for improving intrusion detection systems in protecting organizational networks," Computers & Security, vol. 25, no. 4, pp. 274-288, June 2006.
[9] Taiwan Honeynet Project, "Collecting Malware with Honeypots Part I," Mar. 2009.
[10] C.H. Yeh and C.H. Yang, "Design and Implementation of Honeypot System Based on Open-Source Software," IEEE International Conference on Intelligence and Security Informatics (IEEE ISI 2008), June 2008.
[11] Client Honeypot, http://en.wikipedia.org/wiki/Client_honeypot
[12] C. Seifert, I. Welch, and P. Komisarczuk, "Identification of Malicious Web Pages with Static Heuristics," Telecommunication Networks and Applications Conference, pp. 91-96, 2008.
[13] p0f, http://freshmeat.net/projects/p0f
[14] T.M. Mullen, "Blocking Traffic by Country on Production Networks," Security Focus, http://www.securityfocus.com/infocus/1900, July 2008.
[15] Nmap, http://insecure.org/nmap/
[16] J.W. Zhuge, X.H. Han, Y.L. Zhou, Z.Y. Ye, and W. Zou, "Research and development of botnets," Journal of Software, 19(3), pp. 702-715, 2008. (in Chinese)
[17] Y.D. Sun and D. Li, "Overview of Botnet," Computer Application, 26(7), pp. 1628-1633, 2006. (in Chinese)
[18] W.P. Wen, S.H. Qing, J.C. Jiang, and Y.J. Wang, "Research and development of Internet worms," Journal of Software, 15(8), pp. 1208-1219, 2004. (in Chinese)
[19] ClamAV Malware Name, http://wiki.clamav.net/bin/view/Main/MalwareNaming
[20] W.Y. Chin, E.P. Markatos, S. Antonatos, and S. Ioannidis, "HoneyLab: Large-Scale Honeypot Deployment and Resource Sharing," Network and System Security, pp. 381-388, Jul 2008.
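Observation (1) of Section 4.3, that the spreading malware and its major sources sit in the same sub-network, can be checked mechanically on the Table 1 rows by grouping hit counts per enclosing /16 and /24 and computing the share that falls inside the sensor's own network. The following Python is an added example, not the paper's own code; it assumes that the address 123.204.27.168 given for Site 1 is the honeypot sensor, and uses the Table 1 rows as input.

```python
import ipaddress
from collections import Counter

# Site 1 sensor address (assumed to be the honeypot itself) and the top-10 source
# rows exactly as listed in the paper's Table 1: (source IP, hit count).
SITE_1 = "123.204.27.168"
TABLE_1 = [
    ("123.204.174.60", 402), ("123.204.48.170", 348), ("123.204.141.149", 133),
    ("123.204.169.192", 99), ("112.105.164.237", 78), ("123.204.26.53", 78),
    ("123.204.221.156", 69), ("123.204.124.186", 68), ("123.204.192.83", 65),
    ("123.204.30.156", 63),
]

def network_of(ip, prefixlen):
    """Return the /prefixlen network that contains ip, e.g. 123.204.0.0/16."""
    return ipaddress.ip_network("%s/%d" % (ip, prefixlen), strict=False)

def hits_by_network(rows, prefixlen):
    """Aggregate hit counts by enclosing network of the given prefix length."""
    totals = Counter()
    for ip, count in rows:
        totals[str(network_of(ip, prefixlen))] += count
    return dict(totals)

def same_network_share(rows, site_ip, prefixlen):
    """Fraction of hits whose source lies inside the sensor's own /prefixlen network.
    A high value at /16 and a low one at /24 says the activity is regional, not
    confined to the sensor's immediate segment."""
    site_net = network_of(site_ip, prefixlen)
    inside = sum(c for ip, c in rows if ipaddress.ip_address(ip) in site_net)
    total = sum(c for _, c in rows)
    return inside / total if total else 0.0

def nearest_sources(rows, site_ip, n=3):
    """The n sources closest to the sensor in address space, a quick locality check."""
    site = int(ipaddress.ip_address(site_ip))
    return sorted(rows, key=lambda r: abs(int(ipaddress.ip_address(r[0])) - site))[:n]

if __name__ == "__main__":
    for plen in (16, 24):
        print("share of hits inside sensor's /%d: %.3f"
              % (plen, same_network_share(TABLE_1, SITE_1, plen)))
    for net, hits in sorted(hits_by_network(TABLE_1, 16).items(), key=lambda kv: -kv[1]):
        print("%-18s %d" % (net, hits))
    print("nearest sources:", [ip for ip, _ in nearest_sources(TABLE_1, SITE_1)])
```

The same functions apply unchanged to the Table 2 rows with 112.105.219.196 as the site address.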